diff --git a/SOURCES/nfs-blkmap.service b/SOURCES/nfs-blkmap.service
deleted file mode 100644
index c026492..0000000
--- a/SOURCES/nfs-blkmap.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=pNFS block layout mapping daemon
-Wants=var-lib-nfs-rpc_pipefs.mount
-Requires=var-lib-nfs-rpc_pipefs.mount
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=/usr/sbin/blkmapd $BLKMAPDARGS
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-idmap.service b/SOURCES/nfs-idmap.service
deleted file mode 100644
index 872ae09..0000000
--- a/SOURCES/nfs-idmap.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=NFSv4 ID-name mapping daemon
-BindTo=nfs-server.service
-After=nfs-server.service
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=/usr/sbin/rpc.idmapd $RPCIDMAPDARGS
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-lock.preconfig b/SOURCES/nfs-lock.preconfig
deleted file mode 100644
index dbd6965..0000000
--- a/SOURCES/nfs-lock.preconfig
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-. /etc/sysconfig/nfs
-
-# Make sure lockd is loaded
-/sbin/modprobe -q lockd $LOCKDARG
-
-# See if the kernel lockd should start up
-# listening on a particular port
-#
-if [ -n "$LOCKD_TCPPORT" ]; then
- /sbin/sysctl -w fs.nfs.nlm_tcpport=$LOCKD_TCPPORT >/dev/null 2>&1
-fi
-if [ -n "$LOCKD_UDPPORT" ]; then
- /sbin/sysctl -w fs.nfs.nlm_udpport=$LOCKD_UDPPORT >/dev/null 2>&1
-fi
-
diff --git a/SOURCES/nfs-lock.service b/SOURCES/nfs-lock.service
deleted file mode 100644
index d5f0a99..0000000
--- a/SOURCES/nfs-lock.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=NFS file locking service.
-Requires=rpcbind.service network.target
-After=network.target named.service rpcbind.service
-Before=remote-fs-pre.target
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStartPre=/usr/libexec/nfs-utils/scripts/nfs-lock.preconfig
-ExecStart=/sbin/rpc.statd $STATDARG
-# Make sure lockd's ports are reset
-ExecStopPost=-/sbin/sysctl -w fs.nfs.nlm_tcpport=0 fs.nfs.nlm_udpport=0
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-mountd.service b/SOURCES/nfs-mountd.service
deleted file mode 100644
index fca16ac..0000000
--- a/SOURCES/nfs-mountd.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=NFS Mount Daemon
-BindTo=nfs-server.service
-
-[Service]
-Type=forking
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=/usr/sbin/rpc.mountd $RPCMOUNTDOPTS
-StandardError=syslog+console
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-rquotad.service b/SOURCES/nfs-rquotad.service
deleted file mode 100644
index c305aaa..0000000
--- a/SOURCES/nfs-rquotad.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=NFS Remote Quota Server
-BindTo=nfs-server.service
-After=nfs-server.service
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=-/usr/sbin/rpc.rquotad $RPCRQUOTADOPTS
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-secure-server.service b/SOURCES/nfs-secure-server.service
deleted file mode 100644
index 1b9c0f4..0000000
--- a/SOURCES/nfs-secure-server.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Secure NFS Server
-Requires=var-lib-nfs-rpc_pipefs.mount nfs-server.service
-After=syslog.target var-lib-nfs-rpc_pipefs.mount nfs-server.service
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=/usr/sbin/rpc.svcgssd $RPCSVCGSSDARGS
-
-[Install]
-WantedBy=nfs.target
-
diff --git a/SOURCES/nfs-secure.service b/SOURCES/nfs-secure.service
deleted file mode 100644
index 32a33ea..0000000
--- a/SOURCES/nfs-secure.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Secure NFS
-Requires=var-lib-nfs-rpc_pipefs.mount
-After=syslog.target var-lib-nfs-rpc_pipefs.mount
-
-[Service]
-Type=forking
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS
-
-[Install]
-WantedBy=nfs.target
diff --git a/SOURCES/nfs-server.preconfig b/SOURCES/nfs-server.preconfig
deleted file mode 100644
index d965dbe..0000000
--- a/SOURCES/nfs-server.preconfig
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-. /etc/sysconfig/nfs
-
-# Set v4 grace period if requested
-if [ -n "$NFSD_V4_GRACE" ]; then
- echo "$NFSD_V4_GRACE" > /proc/fs/nfsd/nfsv4gracetime
-fi
-
-exit 0
diff --git a/SOURCES/nfs-server.service b/SOURCES/nfs-server.service
deleted file mode 100644
index 6f8ccb4..0000000
--- a/SOURCES/nfs-server.service
+++ /dev/null
@@ -1,21 +0,0 @@
-[Unit]
-Description=NFS Server
-Requires=proc-fs-nfsd.mount var-lib-nfs-rpc_pipefs.mount rpcbind.service
-Requires=nfs-idmap.service nfs-mountd.service nfs-rquotad.service
-After=network.target named.service nfs-lock.service nfs-mountd.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-StandardError=syslog+console
-EnvironmentFile=-/etc/sysconfig/nfs
-ExecStartPre=/usr/libexec/nfs-utils/scripts/nfs-server.preconfig
-ExecStartPre=/usr/sbin/exportfs -r
-ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS $RPCNFSDCOUNT
-ExecStop=/usr/sbin/rpc.nfsd 0
-ExecStopPost=/usr/sbin/exportfs -f
-ExecReload=/usr/sbin/exportfs -r
-
-[Install]
-WantedBy=nfs.target
-Also=nfs.target
diff --git a/SOURCES/nfs-utils-1.3.0-exportfs-NULL-pointer-test.patch b/SOURCES/nfs-utils-1.3.0-exportfs-NULL-pointer-test.patch
new file mode 100644
index 0000000..f87c7bf
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-exportfs-NULL-pointer-test.patch
@@ -0,0 +1,46 @@
+commit d89e3fc7d3b14dea481bd9af0bca996ced689bf6
+Author: Natanael Copa
+Date: Fri Sep 12 13:19:01 2014 -0400
+
+ exportfs: fix test of NULL pointer in host_pton()
+
+ This fixes the problem reported in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1083018
+
+ Signed-off-by: Natanael Copa
+ Signed-off-by: Steve Dickson
+
+diff --git a/support/export/hostname.c b/support/export/hostname.c
+index ad595d1..d9153e1 100644
+--- a/support/export/hostname.c
++++ b/support/export/hostname.c
+@@ -115,6 +115,11 @@ host_pton(const char *paddr)
+ * have a real AF_INET presentation address, before invoking
+ * getaddrinfo(3) to generate the full addrinfo list.
+ */
++ if (paddr == NULL) {
++ xlog(D_GENERAL, "%s: passed a NULL presentation address",
++ __func__);
++ return NULL;
++ }
+ inet4 = 1;
+ if (inet_pton(AF_INET, paddr, &sin.sin_addr) == 0)
+ inet4 = 0;
+@@ -123,15 +128,12 @@ host_pton(const char *paddr)
+ switch (error) {
+ case 0:
+ if (!inet4 && ai->ai_addr->sa_family == AF_INET) {
++ xlog(D_GENERAL, "%s: failed to convert %s",
++ __func__, paddr);
+ freeaddrinfo(ai);
+ break;
+ }
+ return ai;
+- case EAI_NONAME:
+- if (paddr == NULL)
+- xlog(D_GENERAL, "%s: passed a NULL presentation address",
+- __func__);
+- break;
+ case EAI_SYSTEM:
+ xlog(D_GENERAL, "%s: failed to convert %s: (%d) %m",
+ __func__, paddr, errno);
diff --git a/SOURCES/nfs-utils-1.3.0-exportfs-ipv6-arg.patch b/SOURCES/nfs-utils-1.3.0-exportfs-ipv6-arg.patch
new file mode 100644
index 0000000..e6390a9
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-exportfs-ipv6-arg.patch
@@ -0,0 +1,87 @@
+commit 7f5f7fe118b87fbc6a2c6cc52aff808564d907a4
+Author: Todd Vierling
+Date: Fri Sep 19 10:32:55 2014 -0400
+
+ exportfs: Properly parse IPv6 literal strings with null termination
+
+ The original implementation was using strncpy() with a truncation
+ length to an uninitialized stack buffer, leaving a string that
+ was only null terminated by luck.
+
+ While here, change to use no-copy semantics (no extra buffer) to
+ avoid buffer overflows altogether. exportfs already modifies argv
+ contents elsewhere, so this doesn't break anything anew.
+
+ Fixes: 4663c648 (exportfs: Support raw IPv6 addresses with
+ "client:/path")
+
+ Signed-off-by: Todd Vierling
+ Reviewed-by: Chuck Lever
+ Signed-off-by: Steve Dickson
+
+diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
+index e7d1ac8..bdea12b 100644
+--- a/utils/exportfs/exportfs.c
++++ b/utils/exportfs/exportfs.c
+@@ -351,16 +351,15 @@ static int exportfs_generic(char *arg, char *options, int verbose)
+
+ static int exportfs_ipv6(char *arg, char *options, int verbose)
+ {
+- char *path, *c, hname[NI_MAXHOST + strlen("/128")];
++ char *path, *c;
+
+ arg++;
+ c = strchr(arg, ']');
+ if (c == NULL)
+ return 1;
+- strncpy(hname, arg, c - arg);
+
+ /* no colon means this is a wildcarded DNS hostname */
+- if (strchr(hname, ':') == NULL)
++ if (memchr(arg, ':', c - arg) == NULL)
+ return exportfs_generic(--arg, options, verbose);
+
+ path = strstr(c, ":/");
+@@ -370,9 +369,9 @@ static int exportfs_ipv6(char *arg, char *options, int verbose)
+
+ /* if there's anything between the closing brace and the
+ * path separator, it's probably a prefix length */
+- strcat(hname, ++c);
++ memmove(c, c + 1, path - c);
+
+- exportfs_parsed(hname, path, options, verbose);
++ exportfs_parsed(arg, path, options, verbose);
+ return 0;
+ }
+
+@@ -458,16 +457,15 @@ static int unexportfs_generic(char *arg, int verbose)
+
+ static int unexportfs_ipv6(char *arg, int verbose)
+ {
+- char *path, *c, hname[NI_MAXHOST + strlen("/128")];
++ char *path, *c;
+
+ arg++;
+ c = strchr(arg, ']');
+ if (c == NULL)
+ return 1;
+- strncpy(hname, arg, c - arg);
+
+ /* no colon means this is a wildcarded DNS hostname */
+- if (strchr(hname, ':') == NULL)
++ if (memchr(arg, ':', c - arg) == NULL)
+ return unexportfs_generic(--arg, verbose);
+
+ path = strstr(c, ":/");
+@@ -477,9 +475,9 @@ static int unexportfs_ipv6(char *arg, int verbose)
+
+ /* if there's anything between the closing brace and the
+ * path separator, it's probably a prefix length */
+- strcat(hname, ++c);
++ memmove(c, c + 1, path - c);
+
+- unexportfs_parsed(hname, path, verbose);
++ unexportfs_parsed(arg, path, verbose);
+ return 0;
+ }
+
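Review bot: The count in `memmove(c, c + 1, path - c)` in exportfs_ipv6() and unexportfs_ipv6() is only right if `path` has already been stepped past a NUL written over the `:` separator, and that step would sit in the lines between the hunks, which are not shown. If that holds, the move covers the prefix, its terminator and one extra byte (the first character of the path), all inside the argument, but nothing in the code says so; a comment above each call such as `/* drop ']': shift "/prefix" and its NUL left by one; arg is edited in place */` would record the invariant. Both functions now carry the same in-place parsing, so a shared static helper that returns `path` would keep the two copies from drifting apart.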
diff --git a/SOURCES/nfs-utils-1.3.0-exportfs-noreaddirplus.patch b/SOURCES/nfs-utils-1.3.0-exportfs-noreaddirplus.patch
new file mode 100644
index 0000000..bca0510
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-exportfs-noreaddirplus.patch
@@ -0,0 +1,83 @@
+commit 4017afe28d640c535109576bd149bc7e0345f075
+Author: Rajesh Ghanekar
+Date: Wed Aug 20 14:00:59 2014 -0400
+
+ nfs-utils: Allow turning off nfsv3 readdir_plus
+
+ One of our customer's application only needs file names, not file
+ attributes. With directories having 10K+ inodes (assuming buffer cache
+ has directory blocks cached having file names, but inode cache is
+ limited and hence need eviction of older cached inodes), older inodes
+ are evicted periodically. So if they keep on doing readdir(2) from NSF
+ client on multiple directories, some directory's files are periodically
+ removed from inode cache and hence new readdir(2) on same directory
+ requires disk access to bring back inodes again to inode cache.
+
+ As READDIRPLUS request fetches attributes also, doing getattr on each
+ file on server, it causes unnecessary disk accesses. If READDIRPLUS on
+ NFS client is returned with -ENOTSUPP, NFS client uses READDIR request
+ which just gets the names of the files in a directory, not attributes,
+ hence avoiding disk accesses on server.
+
+ There's already a corresponding client-side mount option, but an export
+ option reduces the need for configuration across multiple clients.
+
+ This flag affects NFSv3 only. If it turns out it's needed for NFSv4 as
+ well then we may have to figure out how to extend the behavior to NFSv4,
+ but it's not currently obvious how to do that.
+
+ Signed-off-by: Rajesh Ghanekar
+ Signed-off-by: Steve Dickson
+
+diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
+index 1547a87..2f59e6a 100644
+--- a/support/include/nfs/export.h
++++ b/support/include/nfs/export.h
+@@ -17,7 +17,8 @@
+ #define NFSEXP_ALLSQUASH 0x0008
+ #define NFSEXP_ASYNC 0x0010
+ #define NFSEXP_GATHERED_WRITES 0x0020
+-/* 40, 80, 100 unused */
++#define NFSEXP_NOREADDIRPLUS 0x0040
++/* 80, 100 unused */
+ #define NFSEXP_NOHIDE 0x0200
+ #define NFSEXP_NOSUBTREECHECK 0x0400
+ #define NFSEXP_NOAUTHNLM 0x0800
+diff --git a/support/nfs/exports.c b/support/nfs/exports.c
+index 819d6c4..eb782b9 100644
+--- a/support/nfs/exports.c
++++ b/support/nfs/exports.c
+@@ -273,6 +273,8 @@ putexportent(struct exportent *ep)
+ "in" : "");
+ fprintf(fp, "%sacl,", (ep->e_flags & NFSEXP_NOACL)?
+ "no_" : "");
++ if (ep->e_flags & NFSEXP_NOREADDIRPLUS)
++ fprintf(fp, "nordirplus,");
+ if (ep->e_flags & NFSEXP_FSID) {
+ fprintf(fp, "fsid=%d,", ep->e_fsid);
+ }
+@@ -539,6 +541,8 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
+ clearflags(NFSEXP_ASYNC, active, ep);
+ else if (!strcmp(opt, "async"))
+ setflags(NFSEXP_ASYNC, active, ep);
++ else if (!strcmp(opt, "nordirplus"))
++ setflags(NFSEXP_NOREADDIRPLUS, active, ep);
+ else if (!strcmp(opt, "nohide"))
+ setflags(NFSEXP_NOHIDE, active, ep);
+ else if (!strcmp(opt, "hide"))
+diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
+index e8b29df..3d974d9 100644
+--- a/utils/exportfs/exports.man
++++ b/utils/exportfs/exports.man
+@@ -360,6 +360,11 @@ supported so the same configuration can be made to work on old and new
+ kernels alike.
+
+ .TP
++.IR nordirplus
++This option will disable READDIRPLUS request handling. When set,
++READDIRPLUS requests from NFS clients return NFS3ERR_NOTSUPP, and
++clients fall back on READDIR. This option affects only NFSv3 clients.
++.TP
+ .IR refer= path@host[+host][:path@host[+host]]
+ A client referencing the export point will be directed to choose from
+ the given list an alternative location for the filesystem.
diff --git a/SOURCES/nfs-utils-1.3.0-gssproxy.patch b/SOURCES/nfs-utils-1.3.0-gssproxy.patch
new file mode 100644
index 0000000..585cf10
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-gssproxy.patch
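Review bot: In parseopts() (support/nfs/exports.c) the new `nordirplus` branch has no counterpart that clears NFSEXP_NOREADDIRPLUS, whereas the neighbouring context shows a `clearflags(NFSEXP_ASYNC, ...)` next to the `async` branch and a `hide` branch after `nohide`. Once the flag has been set by an earlier or default option it cannot be switched back off for a single client, so a positive form (for example `rdirplus`, handled with `clearflags(NFSEXP_NOREADDIRPLUS, active, ep);`) and a matching line in exports.man would be worth adding. parseopts() and putexportent() both continue outside the hunks, so this is judged from the visible branches only.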
@@ -0,0 +1,60 @@
+diff -up nfs-utils-1.3.0/systemd/auth-rpcgss-module.service.orig nfs-utils-1.3.0/systemd/auth-rpcgss-module.service
+--- nfs-utils-1.3.0/systemd/auth-rpcgss-module.service.orig 2014-09-30 14:51:14.000000000 -0400
++++ nfs-utils-1.3.0/systemd/auth-rpcgss-module.service 2014-09-30 14:51:14.000000000 -0400
+@@ -0,0 +1,15 @@
++# We want to start gss-proxy on kernels that support it and rpc.svcgssd
++# on those that don't. Those services check for support by checking
++# for existence of the path /proc/net/rpc/use-gss-proxy. Before they
++# can perform that check, they need this module loaded. (Unless
++# rpcsec_gss support is built directly into the kernel, in which case this
++# unit will fail. But that's OK.)
++[Unit]
++Description=Kernel Module supporting RPCSEC_GSS
++Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
++Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
++ConditionPathExists=/etc/krb5.keytab
++
++[Service]
++Type=oneshot
++ExecStart=/sbin/modprobe -q auth_rpcgss
+diff -up nfs-utils-1.3.0/systemd/nfs-client.target.orig nfs-utils-1.3.0/systemd/nfs-client.target
+--- nfs-utils-1.3.0/systemd/nfs-client.target.orig 2014-09-30 14:51:14.000000000 -0400
++++ nfs-utils-1.3.0/systemd/nfs-client.target 2014-09-30 14:51:55.000000000 -0400
+@@ -5,9 +5,12 @@ Wants=remote-fs-pre.target
+
+ # Note: we don't "Wants=rpc-statd.service" as "mount.nfs" will arrange to
+ # start that on demand if needed.
+-Wants=rpc-gssd.service rpc-svcgssd.service
+ Wants=nfs-blkmap.service rpc-statd-notify.service
+-After=rpc-gssd.service rpc-svcgssd.service nfs-blkmap.service
++After=nfs-blkmap.service
++
++# GSS services dependencies and ordering
++Wants=auth-rpcgss-module.service
++After=rpc-gssd.service rpc-svcgssd.service gssproxy.service
+
+ [Install]
+ WantedBy=multi-user.target
+diff -up nfs-utils-1.3.0/systemd/nfs-server.service.orig nfs-utils-1.3.0/systemd/nfs-server.service
+--- nfs-utils-1.3.0/systemd/nfs-server.service.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/systemd/nfs-server.service 2014-09-30 14:51:14.000000000 -0400
+@@ -2,14 +2,17 @@
+ Description=NFS server and services
+ Requires= network.target proc-fs-nfsd.mount rpcbind.target
+ Requires= nfs-mountd.service
+-Wants=rpc-statd.service nfs-idmapd.service rpc-gssd.service rpc-svcgssd.service
++Wants=rpc-statd.service nfs-idmapd.service
+ Wants=rpc-statd-notify.service
+
+ After= network.target proc-fs-nfsd.mount rpcbind.target nfs-mountd.service
+ After= nfs-idmapd.service rpc-statd.service
+-After= rpc-gssd.service rpc-svcgssd.service
+ Before= rpc-statd-notify.service
+
++# GSS services dependencies and ordering
++Wants=auth-rpcgss-module.service
++After=rpc-gssd.service gssproxy.service rpc-svcgssd.service
++
+ Wants=nfs-config.service
+ After=nfs-config.service
+
diff --git a/SOURCES/nfs-utils-1.3.0-libmount-umount-verbose.patch b/SOURCES/nfs-utils-1.3.0-libmount-umount-verbose.patch
new file mode 100644
index 0000000..89cd24c
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-libmount-umount-verbose.patch
@@ -0,0 +1,45 @@
+diff -up nfs-utils-1.3.0/utils/mount/mount_libmount.c.orig nfs-utils-1.3.0/utils/mount/mount_libmount.c
+--- nfs-utils-1.3.0/utils/mount/mount_libmount.c.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/utils/mount/mount_libmount.c 2014-10-24 09:46:11.158190704 -0400
+@@ -173,7 +173,7 @@ static int umount_main(struct libmnt_con
+ {
+ int rc, c;
+ char *spec = NULL, *opts = NULL;
+- int ret = EX_FAIL;
++ int ret = EX_FAIL, verbose = 0;
+
+ static const struct option longopts[] = {
+ { "force", 0, 0, 'f' },
+@@ -200,6 +200,8 @@ static int umount_main(struct libmnt_con
+ return EX_USAGE;
+ }
+
++ verbose = mnt_context_is_verbose(cxt);
++
+ if (optind < argc)
+ spec = argv[optind++];
+
+@@ -227,6 +229,10 @@ static int umount_main(struct libmnt_con
+ goto err;
+ }
+
++ if (verbose)
++ printf(_("%s: %s mount point detected\n"), spec,
++ mnt_context_get_fstype(cxt));
++
+ opts = retrieve_mount_options(mnt_context_get_fs(cxt));
+
+ if (!mnt_context_is_lazy(cxt)) {
+@@ -262,6 +268,12 @@ static int umount_main(struct libmnt_con
+ }
+ ret = EX_SUCCESS;
+ err:
++ if (verbose) {
++ if (ret == EX_SUCCESS)
++ printf(_("%s: umounted\n"), spec);
++ else
++ printf(_("%s: umount failed\n"), spec);
++ }
+ free(opts);
+ return ret;
+ }
diff --git a/SOURCES/nfs-utils-1.3.0-mountd-dos.patch b/SOURCES/nfs-utils-1.3.0-mountd-dos.patch
new file mode 100644
index 0000000..93a19ed
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-mountd-dos.patch
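Review bot: In umount_main() (utils/mount/mount_libmount.c) the verbose message added after the `goto err` block passes `mnt_context_get_fstype(cxt)` straight to `%s`, and that accessor can return NULL when no type has been resolved; a NULL `%s` argument is undefined behaviour in C even where the C library tolerates it. Keep the result in a local and print `type ? type : "unknown"` instead. The same concern applies to `spec` in the two messages added at `err:`, unless the argument check between the hunks (not shown) guarantees it is set before any `goto err`. The "umount failed" text would also be better written to stderr than with `printf`.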
@@ -0,0 +1,168 @@
+diff -up nfs-utils-1.3.0/support/include/nfslib.h.orig nfs-utils-1.3.0/support/include/nfslib.h
+--- nfs-utils-1.3.0/support/include/nfslib.h.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/support/include/nfslib.h 2014-11-14 11:16:06.785633197 -0500
+@@ -174,6 +174,7 @@ void closeall(int min);
+
+ int svctcp_socket (u_long __number, int __reuse);
+ int svcudp_socket (u_long __number);
++int svcsock_nonblock (int __sock);
+
+ /* Misc shared code prototypes */
+ size_t strlcat(char *, const char *, size_t);
+diff -up nfs-utils-1.3.0/support/nfs/rpcmisc.c.orig nfs-utils-1.3.0/support/nfs/rpcmisc.c
+--- nfs-utils-1.3.0/support/nfs/rpcmisc.c.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/support/nfs/rpcmisc.c 2014-11-14 11:16:06.785633197 -0500
+@@ -104,7 +104,7 @@ makesock(int port, int proto)
+ return -1;
+ }
+
+- return sock;
++ return svcsock_nonblock(sock);
+ }
+
+ void
+diff -up nfs-utils-1.3.0/support/nfs/svc_create.c.orig nfs-utils-1.3.0/support/nfs/svc_create.c
+--- nfs-utils-1.3.0/support/nfs/svc_create.c.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/support/nfs/svc_create.c 2014-11-14 11:16:06.785633197 -0500
+@@ -49,6 +49,8 @@
+
+ #ifdef HAVE_LIBTIRPC
+
++#include
++
+ #define SVC_CREATE_XPRT_CACHE_SIZE (8)
+ static SVCXPRT *svc_create_xprt_cache[SVC_CREATE_XPRT_CACHE_SIZE] = { NULL, };
+
+@@ -277,6 +279,12 @@ svc_create_nconf_rand_port(const char *n
+ "(%s, %u, %s)", name, version, nconf->nc_netid);
+ return 0;
+ }
++ if (svcsock_nonblock(xprt->xp_fd) < 0) {
++ /* close() already done by svcsock_nonblock() */
++ xprt->xp_fd = RPC_ANYFD;
++ SVC_DESTROY(xprt);
++ return 0;
++ }
+
+ if (!svc_reg(xprt, program, version, dispatch, nconf)) {
+ /* svc_reg(3) destroys @xprt in this case */
+@@ -332,6 +340,7 @@ svc_create_nconf_fixed_port(const char *
+ int fd;
+
+ fd = svc_create_sock(ai->ai_addr, ai->ai_addrlen, nconf);
++ fd = svcsock_nonblock(fd);
+ if (fd == -1)
+ goto out_free;
+
+@@ -394,6 +403,7 @@ nfs_svc_create(char *name, const rpcprog
+ const struct sigaction create_sigaction = {
+ .sa_handler = SIG_IGN,
+ };
++ int maxrec = RPC_MAXDATASIZE;
+ unsigned int visible, up, servport;
+ struct netconfig *nconf;
+ void *handlep;
+@@ -405,6 +415,20 @@ nfs_svc_create(char *name, const rpcprog
+ */
+ (void)sigaction(SIGPIPE, &create_sigaction, NULL);
+
++ /*
++ * Setting MAXREC also enables non-blocking mode for tcp connections.
++ * This avoids DOS attacks by a client sending many requests but never
++ * reading the reply:
++ * - if a second request already is present for reading in the socket,
++ * after the first request just was read, libtirpc will break the
++ * connection. Thus an attacker can't simply send requests as fast as
++ * he can without waiting for the response.
++ * - if the write buffer of the socket is full, the next write() will
++ * fail with EAGAIN. libtirpc will retry the write in a loop for max.
++ * 2 seconds. If write still fails, the connection will be closed.
++ */
++ rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec);
++
+ handlep = setnetconfig();
+ if (handlep == NULL) {
+ xlog(L_ERROR, "Failed to access local netconfig database: %s",
+diff -up nfs-utils-1.3.0/support/nfs/svc_socket.c.orig nfs-utils-1.3.0/support/nfs/svc_socket.c
+--- nfs-utils-1.3.0/support/nfs/svc_socket.c.orig 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/support/nfs/svc_socket.c 2014-11-14 11:16:06.785633197 -0500
+@@ -67,6 +67,39 @@ int getservport(u_long number, const cha
+ return 0;
+ }
+
++int
++svcsock_nonblock(int sock)
++{
++ int flags;
++
++ if (sock < 0)
++ return sock;
++
++ /* This socket might be shared among multiple processes
++ * if mountd is run multi-threaded. So it is safest to
++ * make it non-blocking, else all threads might wake
++ * one will get the data, and the others will block
++ * indefinitely.
++ * In all cases, transaction on this socket are atomic
++ * (accept for TCP, packet-read and packet-write for UDP)
++ * so O_NONBLOCK will not confuse unprepared code causing
++ * it to corrupt messages.
++ * It generally safest to have O_NONBLOCK when doing an accept
++ * as if we get a RST after the SYN and before accept runs,
++ * we can block despite being told there was an acceptable
++ * connection.
++ */
++ if ((flags = fcntl(sock, F_GETFL)) < 0)
++ perror(_("svc_socket: can't get socket flags"));
++ else if (fcntl(sock, F_SETFL, flags|O_NONBLOCK) < 0)
++ perror(_("svc_socket: can't set socket flags"));
++ else
++ return sock;
++
++ (void) __close(sock);
++ return -1;
++}
++
+ static int
+ svc_socket (u_long number, int type, int protocol, int reuse)
+ {
+@@ -104,38 +137,7 @@ svc_socket (u_long number, int type, int
+ sock = -1;
+ }
+
+- if (sock >= 0)
+- {
+- /* This socket might be shared among multiple processes
+- * if mountd is run multi-threaded. So it is safest to
+- * make it non-blocking, else all threads might wake
+- * one will get the data, and the others will block
+- * indefinitely.
+- * In all cases, transaction on this socket are atomic
+- * (accept for TCP, packet-read and packet-write for UDP)
+- * so O_NONBLOCK will not confuse unprepared code causing
+- * it to corrupt messages.
+- * It generally safest to have O_NONBLOCK when doing an accept
+- * as if we get a RST after the SYN and before accept runs,
+- * we can block despite being told there was an acceptable
+- * connection.
+- */
+- int flags;
+- if ((flags = fcntl(sock, F_GETFL)) < 0)
+- {
+- perror (_("svc_socket: can't get socket flags"));
+- (void) __close (sock);
+- sock = -1;
+- }
+- else if (fcntl(sock, F_SETFL, flags|O_NONBLOCK) < 0)
+- {
+- perror (_("svc_socket: can't set socket flags"));
+- (void) __close (sock);
+- sock = -1;
+- }
+- }
+-
+- return sock;
++ return svcsock_nonblock(sock);
+ }
+
+ /*
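Review bot: The `rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec);` call added to nfs_svc_create() (support/nfs/svc_create.c) discards its result, so if libtirpc refuses the setting the daemon starts without the non-blocking TCP handling that the comment above it relies on to bound clients that never read their replies, and nothing is logged. Check it and report the failure, e.g. `if (!rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec)) xlog(L_WARNING, "Failed to set RPC max record size; TCP connections stay blocking");`. In svc_create_nconf_fixed_port() the pair `fd = svc_create_sock(...); fd = svcsock_nonblock(fd);` depends on svcsock_nonblock() passing a negative descriptor through unchanged, which the new function does, and a one-line comment at that call would keep a later edit from breaking the `fd == -1` test that follows.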
diff --git a/SOURCES/nfs-utils-1.3.0-mountd-start-statd-path.patch b/SOURCES/nfs-utils-1.3.0-mountd-start-statd-path.patch
new file mode 100644
index 0000000..47194f7
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-mountd-start-statd-path.patch
@@ -0,0 +1,29 @@
+commit edbbbe099bf4d4902f29d087239d6d159ac2187d
+Author: Kinglong Mee
+Date: Fri Apr 25 10:28:47 2014 -0400
+
+ systemd: add PATH for finding systemctl
+
+ The 1.3.0 release adds a call to systemctl fails for it's in /usr/bin.
+
+ [root@localhost nfs-utils]# start-statd
+ /usr/sbin/start-statd: line 9: systemctl: command not found
+ Statd service already running!
+
+ Reported-by: Allan Duncan
+ Signed-off-by: Kinglong Mee
+ Signed-off-by: Steve Dickson
+
+diff --git a/utils/statd/start-statd b/utils/statd/start-statd
+index cde3583..8ac3798 100644
+--- a/utils/statd/start-statd
++++ b/utils/statd/start-statd
+@@ -4,7 +4,7 @@
+ # /var/run/rpc.statd.pid).
+ # It should run statd with whatever flags are apropriate for this
+ # site.
+-PATH=/sbin:/usr/sbin
++PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+ if systemctl start statd.service
+ then :
+ else
diff --git a/SOURCES/nfs-utils-1.3.0-nfsclient-after.patch b/SOURCES/nfs-utils-1.3.0-nfsclient-after.patch
new file mode 100644
index 0000000..2fddcd8
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-nfsclient-after.patch
@@ -0,0 +1,12 @@
+diff -up rhel7/systemd/nfs-client.target.orig rhel7/systemd/nfs-client.target
+--- rhel7/systemd/nfs-client.target.orig 2014-03-25 11:12:07.000000000 -0400
++++ rhel7/systemd/nfs-client.target 2014-09-29 11:16:15.470237681 -0400
+@@ -7,7 +7,7 @@ Wants=remote-fs-pre.target
+ # start that on demand if needed.
+ Wants=rpc-gssd.service rpc-svcgssd.service
+ Wants=nfs-blkmap.service rpc-statd-notify.service
+-Before=rpc-gssd.service rpc-svcgssd.service nfs-blkmap.service
++After=rpc-gssd.service rpc-svcgssd.service nfs-blkmap.service
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/SOURCES/nfs-utils-1.3.0-nfsiostat-output.patch b/SOURCES/nfs-utils-1.3.0-nfsiostat-output.patch
new file mode 100644
index 0000000..21c1642
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-nfsiostat-output.patch
@@ -0,0 +1,74 @@
+commit a4793601381656a64abe20ed8c2242f0eb2496e6
+Author: Jan Chaloupka
+Date: Mon Jun 16 09:47:32 2014 -0400
+
+ nfsiostat: Document the output columns in the manpage
+
+ Signed-off-by: Steve Dickson
+
+diff --git a/tools/nfs-iostat/nfsiostat.man b/tools/nfs-iostat/nfsiostat.man
+index 3ec245d..b477a9a 100644
+--- a/tools/nfs-iostat/nfsiostat.man
++++ b/tools/nfs-iostat/nfsiostat.man
+@@ -38,6 +38,61 @@ If one or more
+ .I
+ names are specified, statistics for only these mount points will
+ be displayed. Otherwise, all NFS mount points on the client are listed.
++.TP
++The meaning of each column of \fBnfsiostat\fR's output is the following:
++.RS 8
++- \fBop/s\fR
++.RS
++This is the number of operations per second.
++.RS
++.RE
++.RE
++.RE
++.RS 8
++- \fBrpc bklog\fR
++.RS
++This is the length of the backlog queue.
++.RE
++.RE
++.RE
++.RS 8
++- \fBkB/s\fR
++.RS
++This is the number of kB written/read per second.
++.RE
++.RE
++.RE
++.RS 8
++- \fBkB/op\fR
++.RS
++This is the number of kB written/read per each operation.
++.RE
++.RE
++.RE
++.RS 8
++- \fBretrans\fR
++.RS
++This is the number of retransmissions.
++.RE
++.RE
++.RE
++.RS 8
++- \fBavg RTT (ms)\fR
++.RS
++This is the duration from the time that client's kernel sends the RPC request until the time it receives the reply.
++.RE
++.RE
++.RE
++.RS 8
++- \fBavg exe (ms)\fR
++.RS
++This is the duration from the time that NFS client does the RPC request to its kernel until the RPC request is completed, this includes the RTT time above.
++.RE
++.RE
++.RE
++.TP
++Note that if an interval is used as argument to \fBnfsiostat\fR, then the diffrence from previous interval will be displayed, otherwise the results will be from the time that the share was mounted.
++
+ .SH OPTIONS
+ .TP
+ .B \-a " or " \-\-attr
diff --git a/SOURCES/nfs-utils-1.3.0-rpcgssd-acceptor.patch b/SOURCES/nfs-utils-1.3.0-rpcgssd-acceptor.patch
new file mode 100644
index 0000000..ae82c69
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-rpcgssd-acceptor.patch
@@ -0,0 +1,398 @@ +diff -up nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig nfs-utils-1.3.0/utils/gssd/gssd_proc.c +--- nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig 2014-09-17 14:22:54.003055871 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gssd_proc.c 2014-09-17 14:36:02.917808209 -0400 +@@ -77,6 +77,7 @@ + #include "context.h" + #include "nfsrpc.h" + #include "nfslib.h" ++#include "gss_names.h" + + /* + * pollarray: +@@ -681,19 +682,25 @@ parse_enctypes(char *enctypes) + return 0; + } + +-static int ++static void + do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, +- gss_buffer_desc *context_token, OM_uint32 lifetime_rec) ++ gss_buffer_desc *context_token, OM_uint32 lifetime_rec, ++ gss_buffer_desc *acceptor) + { + char *buf = NULL, *p = NULL, *end = NULL; + unsigned int timeout = context_timeout; + unsigned int buf_size = 0; + +- printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); ++ printerr(1, "doing downcall: lifetime_rec=%u acceptor=%.*s\n", ++ lifetime_rec, acceptor->length, acceptor->value); + buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + +- sizeof(context_token->length) + context_token->length; ++ sizeof(context_token->length) + context_token->length + ++ sizeof(acceptor->length) + acceptor->length; + p = buf = malloc(buf_size); ++ if (!buf) ++ goto out_err; ++ + end = buf + buf_size; + + /* context_timeout set by -t option overrides context lifetime */ +@@ -704,14 +711,15 @@ do_downcall(int k5_fd, uid_t uid, struct + if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; + if (write_buffer(&p, end, &pd->pd_ctx_hndl)) goto out_err; + if (write_buffer(&p, end, context_token)) goto out_err; ++ if (write_buffer(&p, end, acceptor)) goto out_err; + + if (write(k5_fd, buf, p - buf) < p - buf) goto out_err; +- if (buf) free(buf); +- return 0; ++ free(buf); ++ return; + out_err: +- if (buf) free(buf); ++ free(buf); + printerr(1, "Failed to write downcall!\n"); +- 
return -1; ++ return; + } + + static int +@@ -1035,6 +1043,9 @@ process_krb5_upcall(struct clnt_info *cl + gss_cred_id_t gss_cred; + OM_uint32 maj_stat, min_stat, lifetime_rec; + pid_t pid; ++ gss_name_t gacceptor = GSS_C_NO_NAME; ++ gss_OID mech; ++ gss_buffer_desc acceptor = {0}; + + pid = fork(); + switch(pid) { +@@ -1175,15 +1186,24 @@ process_krb5_upcall(struct clnt_info *cl + goto out_return_error; + } + +- /* Grab the context lifetime to pass to the kernel. lifetime_rec +- * is set to zero on error */ +- maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, +- &lifetime_rec, NULL, NULL, NULL, NULL); +- +- if (maj_stat) +- printerr(1, "WARNING: Failed to inquire context for lifetme " +- "maj_stat %u\n", maj_stat); ++ /* Grab the context lifetime and acceptor name out of the ctx. */ ++ maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, &gacceptor, ++ &lifetime_rec, &mech, NULL, NULL, NULL); ++ ++ if (maj_stat != GSS_S_COMPLETE) { ++ printerr(1, "WARNING: Failed to inquire context " ++ "maj_stat (0x%x)\n", maj_stat); ++ lifetime_rec = 0; ++ } else { ++ get_hostbased_client_buffer(gacceptor, mech, &acceptor); ++ gss_release_name(&min_stat, &gacceptor); ++ } + ++ /* ++ * The serialization can mean turning pd.pd_ctx into a lucid context. If ++ * that happens then the pd.pd_ctx will be unusable, so we must never ++ * try to use it after this point. 
++ */ + if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) { + printerr(0, "WARNING: Failed to serialize krb5 context for " + "user with uid %d for server %s\n", +@@ -1191,9 +1211,10 @@ process_krb5_upcall(struct clnt_info *cl + goto out_return_error; + } + +- do_downcall(fd, uid, &pd, &token, lifetime_rec); ++ do_downcall(fd, uid, &pd, &token, lifetime_rec, &acceptor); + + out: ++ gss_release_buffer(&min_stat, &acceptor); + if (token.value) + free(token.value); + #ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA +diff -up nfs-utils-1.3.0/utils/gssd/gss_names.c.orig nfs-utils-1.3.0/utils/gssd/gss_names.c +--- nfs-utils-1.3.0/utils/gssd/gss_names.c.orig 2014-09-17 14:35:16.646945303 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gss_names.c 2014-09-17 14:35:16.646945303 -0400 +@@ -0,0 +1,138 @@ ++/* ++ Copyright (c) 2000 The Regents of the University of Michigan. ++ All rights reserved. ++ ++ Copyright (c) 2002 Bruce Fields ++ ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions ++ are met: ++ ++ 1. Redistributions of source code must retain the above copyright ++ notice, this list of conditions and the following disclaimer. ++ 2. Redistributions in binary form must reproduce the above copyright ++ notice, this list of conditions and the following disclaimer in the ++ documentation and/or other materials provided with the distribution. ++ 3. Neither the name of the University nor the names of its ++ contributors may be used to endorse or promote products derived ++ from this software without specific prior written permission. ++ ++ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE ++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR ++ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ++ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING ++ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++*/ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif /* HAVE_CONFIG_H */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "svcgssd.h" ++#include "gss_util.h" ++#include "err_util.h" ++#include "context.h" ++#include "misc.h" ++#include "gss_oids.h" ++#include "svcgssd_krb5.h" ++ ++static int ++get_krb5_hostbased_name(gss_buffer_desc *name, char **hostbased_name) ++{ ++ char *p, *sname = NULL; ++ if (strchr(name->value, '@') && strchr(name->value, '/')) { ++ if ((sname = calloc(name->length, 1)) == NULL) { ++ printerr(0, "ERROR: get_krb5_hostbased_name failed " ++ "to allocate %d bytes\n", name->length); ++ return -1; ++ } ++ /* read in name and instance and replace '/' with '@' */ ++ sscanf(name->value, "%[^@]", sname); ++ p = strrchr(sname, '/'); ++ if (p == NULL) { /* The '@' preceeded the '/' */ ++ free(sname); ++ return -1; ++ } ++ *p = '@'; ++ } ++ *hostbased_name = sname; ++ return 0; ++} ++ ++int ++get_hostbased_client_name(gss_name_t client_name, gss_OID mech, ++ char **hostbased_name) ++{ ++ u_int32_t maj_stat, min_stat; ++ gss_buffer_desc name; ++ gss_OID name_type = GSS_C_NO_OID; ++ char *cname; ++ int res = -1; ++ ++ *hostbased_name = NULL; /* preset in case we fail */ ++ ++ /* Get the client's gss authenticated name */ ++ maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type); ++ if (maj_stat != 
GSS_S_COMPLETE) { ++ pgsserr("get_hostbased_client_name: gss_display_name", ++ maj_stat, min_stat, mech); ++ goto out_err; ++ } ++ if (name.length >= 0xffff) { /* don't overflow */ ++ printerr(0, "ERROR: get_hostbased_client_name: " ++ "received gss_name is too long (%d bytes)\n", ++ name.length); ++ goto out_rel_buf; ++ } ++ ++ /* For Kerberos, transform the NT_KRB5_PRINCIPAL name to ++ * an NT_HOSTBASED_SERVICE name */ ++ if (g_OID_equal(&krb5oid, mech)) { ++ if (get_krb5_hostbased_name(&name, &cname) == 0) ++ *hostbased_name = cname; ++ } else { ++ printerr(1, "WARNING: unknown/unsupport mech OID\n"); ++ } ++ ++ res = 0; ++out_rel_buf: ++ gss_release_buffer(&min_stat, &name); ++out_err: ++ return res; ++} ++ ++void ++get_hostbased_client_buffer(gss_name_t client_name, gss_OID mech, ++ gss_buffer_t buf) ++{ ++ char *hname; ++ ++ if (!get_hostbased_client_name(client_name, mech, &hname)) { ++ buf->length = strlen(hname) + 1; ++ buf->value = hname; ++ } else { ++ buf->length = 0; ++ buf->value = NULL; ++ } ++} +diff -up nfs-utils-1.3.0/utils/gssd/gss_names.h.orig nfs-utils-1.3.0/utils/gssd/gss_names.h +--- nfs-utils-1.3.0/utils/gssd/gss_names.h.orig 2014-09-17 14:35:16.646945303 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gss_names.h 2014-09-17 14:35:16.646945303 -0400 +@@ -0,0 +1,36 @@ ++/* ++ Copyright (c) 2000 The Regents of the University of Michigan. ++ All rights reserved. ++ ++ Copyright (c) 2002 Bruce Fields ++ ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions ++ are met: ++ ++ 1. Redistributions of source code must retain the above copyright ++ notice, this list of conditions and the following disclaimer. ++ 2. Redistributions in binary form must reproduce the above copyright ++ notice, this list of conditions and the following disclaimer in the ++ documentation and/or other materials provided with the distribution. ++ 3. 
Neither the name of the University nor the names of its ++ contributors may be used to endorse or promote products derived ++ from this software without specific prior written permission. ++ ++ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE ++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR ++ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ++ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING ++ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++*/ ++ ++extern int get_hostbased_client_name(gss_name_t client_name, gss_OID mech, ++ char **hostbased_name); ++extern void get_hostbased_client_buffer(gss_name_t client_name, ++ gss_OID mech, gss_buffer_t buf); +diff -up nfs-utils-1.3.0/utils/gssd/Makefile.am.orig nfs-utils-1.3.0/utils/gssd/Makefile.am +--- nfs-utils-1.3.0/utils/gssd/Makefile.am.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/utils/gssd/Makefile.am 2014-09-17 14:35:16.645945284 -0400 +@@ -18,11 +18,13 @@ COMMON_SRCS = \ + context_lucid.c \ + gss_util.c \ + gss_oids.c \ ++ gss_names.c \ + err_util.c \ + \ + context.h \ + err_util.h \ + gss_oids.h \ ++ gss_names.h \ + gss_util.h + + gssd_SOURCES = \ +diff -up nfs-utils-1.3.0/utils/gssd/svcgssd_proc.c.orig nfs-utils-1.3.0/utils/gssd/svcgssd_proc.c +--- nfs-utils-1.3.0/utils/gssd/svcgssd_proc.c.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/utils/gssd/svcgssd_proc.c 2014-09-17 14:35:16.646945303 -0400 +@@ -59,6 +59,7 @@ + #include "misc.h" + #include "gss_oids.h" + #include "svcgssd_krb5.h" ++#include 
"gss_names.h" + + extern char * mech2file(gss_OID mech); + #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel" +@@ -315,71 +316,6 @@ print_hexl(const char *description, unsi + } + #endif + +-static int +-get_krb5_hostbased_name (gss_buffer_desc *name, char **hostbased_name) +-{ +- char *p, *sname = NULL; +- if (strchr(name->value, '@') && strchr(name->value, '/')) { +- if ((sname = calloc(name->length, 1)) == NULL) { +- printerr(0, "ERROR: get_krb5_hostbased_name failed " +- "to allocate %d bytes\n", name->length); +- return -1; +- } +- /* read in name and instance and replace '/' with '@' */ +- sscanf(name->value, "%[^@]", sname); +- p = strrchr(sname, '/'); +- if (p == NULL) { /* The '@' preceeded the '/' */ +- free(sname); +- return -1; +- } +- *p = '@'; +- } +- *hostbased_name = sname; +- return 0; +-} +- +-static int +-get_hostbased_client_name(gss_name_t client_name, gss_OID mech, +- char **hostbased_name) +-{ +- u_int32_t maj_stat, min_stat; +- gss_buffer_desc name; +- gss_OID name_type = GSS_C_NO_OID; +- char *cname; +- int res = -1; +- +- *hostbased_name = NULL; /* preset in case we fail */ +- +- /* Get the client's gss authenticated name */ +- maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type); +- if (maj_stat != GSS_S_COMPLETE) { +- pgsserr("get_hostbased_client_name: gss_display_name", +- maj_stat, min_stat, mech); +- goto out_err; +- } +- if (name.length >= 0xffff) { /* don't overflow */ +- printerr(0, "ERROR: get_hostbased_client_name: " +- "received gss_name is too long (%d bytes)\n", +- name.length); +- goto out_rel_buf; +- } +- +- /* For Kerberos, transform the NT_KRB5_PRINCIPAL name to +- * an NT_HOSTBASED_SERVICE name */ +- if (g_OID_equal(&krb5oid, mech)) { +- if (get_krb5_hostbased_name(&name, &cname) == 0) +- *hostbased_name = cname; +- } else { +- printerr(1, "WARNING: unknown/unsupport mech OID\n"); +- } +- +- res = 0; +-out_rel_buf: +- gss_release_buffer(&min_stat, &name); +-out_err: +- return 
res; +-} +- + void + handle_nullreq(FILE *f) { + /* XXX initialize to a random integer to reduce chances of unnecessary diff --git a/SOURCES/nfs-utils-1.3.0-rpcgssd-errno-typo.patch b/SOURCES/nfs-utils-1.3.0-rpcgssd-errno-typo.patch new file mode 100644 index 0000000..a5e6a5f --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-rpcgssd-errno-typo.patch @@ -0,0 +1,21 @@ +commit 404c79c81df0548d50216cddc7d2c4ebfca45c45 +Author: Steve Dickson +Date: Fri Jul 25 10:48:16 2014 -0400 + + gssd: Fixed errno typo in get_servername() + + Signed-off-by: Steve Dickson + +diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c +index 40ff188..9925dab 100644 +--- a/utils/gssd/gssd_proc.c ++++ b/utils/gssd/gssd_proc.c +@@ -218,7 +218,7 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr) + NI_NAMEREQD); + if (err) { + printerr(0, "ERROR: unable to resolve %s to hostname: %s\n", +- addr, err == EAI_SYSTEM ? strerror(err) : ++ addr, err == EAI_SYSTEM ? strerror(errno) : + gai_strerror(err)); + return NULL; + } diff --git a/SOURCES/nfs-utils-1.3.0-rpcgssd-noerror-message.patch b/SOURCES/nfs-utils-1.3.0-rpcgssd-noerror-message.patch new file mode 100644 index 0000000..54978b1 --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-rpcgssd-noerror-message.patch @@ -0,0 +1,44 @@ +commit fe91df5e1d115015b31bb055ef0b4d5dfdc0635c +Author: Steve Dickson +Date: Tue Jul 8 10:29:52 2014 -0400 + + gssd: Error out when rpc_pipefs directory is empty + + When there is no kernel modules loaded the rpc_pipefs + directory is empty, which cause rpc.gssd to silently + exit. + + This patch adds a check to see if the topdirs_list + is empty. If so error out without dropping a core. + + 
Signed-off-by: Steve Dickson + +diff --git a/utils/gssd/gssd_main_loop.c b/utils/gssd/gssd_main_loop.c +index 9970028..6946ab6 100644 +--- a/utils/gssd/gssd_main_loop.c ++++ b/utils/gssd/gssd_main_loop.c +@@ -173,6 +173,10 @@ topdirs_init_list(void) + if (ret) + goto out_err; + } ++ if (TAILQ_EMPTY(&topdirs_list)) { ++ printerr(0, "ERROR: rpc_pipefs directory '%s' is empty!\n", pipefs_dir); ++ return -1; ++ } + closedir(pipedir); + return 0; + out_err: +@@ -233,9 +237,10 @@ gssd_run() + sigaddset(&set, DNOTIFY_SIGNAL); + sigprocmask(SIG_UNBLOCK, &set, NULL); + +- if (topdirs_init_list() != 0) +- return; +- ++ if (topdirs_init_list() != 0) { ++ /* Error msg is already printed */ ++ exit(1); ++ } + init_client_list(); + + printerr(1, "beginning poll\n"); diff --git a/SOURCES/nfs-utils-1.3.0-rpcgssd-timeout.patch b/SOURCES/nfs-utils-1.3.0-rpcgssd-timeout.patch new file mode 100644 index 0000000..dba38e9 --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-rpcgssd-timeout.patch 
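Review bot: The new `TAILQ_EMPTY(&topdirs_list)` branch in `topdirs_init_list()` returns -1 without closing `pipedir`, while the success path directly below it calls `closedir(pipedir)` first. The only caller visible in this patch, `gssd_run()`, exits right away, so the leaked handle is harmless today, but the function should not depend on that. After the `printerr()`, `goto out_err;` would reuse the existing error exit, assuming it closes the directory (its body is outside the hunk); otherwise add `closedir(pipedir);` before the `return -1;`.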
@@ -0,0 +1,82 @@ +diff -up nfs-utils-1.3.0/utils/gssd/gssd.c.orig nfs-utils-1.3.0/utils/gssd/gssd.c +--- nfs-utils-1.3.0/utils/gssd/gssd.c.orig 2014-09-17 13:00:22.702932025 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gssd.c 2014-09-17 13:00:26.575004049 -0400 +@@ -64,6 +64,7 @@ char *ccachesearch[GSSD_MAX_CCACHE_SEARC + int use_memcache = 0; + int root_uses_machine_creds = 1; + unsigned int context_timeout = 0; ++unsigned int rpc_timeout = 5; + char *preferred_realm = NULL; + int pipefds[2] = { -1, -1 }; + +@@ -105,7 +106,7 @@ main(int argc, char *argv[]) + char *progname; + + memset(ccachesearch, 0, sizeof(ccachesearch)); +- while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) { ++ while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:T:R:")) != -1) { + switch (opt) { + case 'f': + fg = 1; +@@ -143,6 +144,9 @@ main(int argc, char *argv[]) + case 't': + context_timeout = atoi(optarg); + break; ++ case 'T': ++ rpc_timeout = atoi(optarg); ++ break; + case 'R': + preferred_realm = strdup(optarg); + break; +diff -up nfs-utils-1.3.0/utils/gssd/gssd.h.orig nfs-utils-1.3.0/utils/gssd/gssd.h +--- nfs-utils-1.3.0/utils/gssd/gssd.h.orig 2014-09-17 13:00:22.702932025 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gssd.h 2014-09-17 13:00:26.575004049 -0400 +@@ -66,6 +66,7 @@ extern char *ccachesearch[]; + extern int use_memcache; + extern int root_uses_machine_creds; + extern unsigned int context_timeout; ++extern unsigned int rpc_timeout; + extern char *preferred_realm; + extern int pipefds[2]; + +diff -up nfs-utils-1.3.0/utils/gssd/gssd.man.orig nfs-utils-1.3.0/utils/gssd/gssd.man +--- nfs-utils-1.3.0/utils/gssd/gssd.man.orig 2014-09-17 13:00:22.702932025 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gssd.man 2014-09-17 13:00:26.575004049 -0400 +@@ -289,6 +289,14 @@ new kernel contexts to be negotiated aft + seconds, which allows changing Kerberos tickets and identities frequently. 
+ The default is no explicit timeout, which means the kernel context will live + the lifetime of the Kerberos service ticket used in its creation. ++.TP ++.B -T timeout ++Timeout, in seconds, to create an RPC connection with a server while ++establishing an authenticated gss context for a user. ++The default timeout is set to 5 seconds. ++If you get messages like "WARNING: can't create tcp rpc_clnt to server ++%servername% for user with uid %uid%: RPC: Remote system error - ++Connection timed out", you should consider an increase of this timeout. + .SH SEE ALSO + .BR rpc.svcgssd (8), + .BR kerberos (1), +diff -up nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig nfs-utils-1.3.0/utils/gssd/gssd_proc.c +--- nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig 2014-09-17 13:00:22.702932025 -0400 ++++ nfs-utils-1.3.0/utils/gssd/gssd_proc.c 2014-09-17 13:00:26.575004049 -0400 +@@ -842,7 +842,7 @@ create_auth_rpc_client(struct clnt_info + OM_uint32 min_stat; + char rpc_errmsg[1024]; + int protocol; +- struct timeval timeout = {5, 0}; ++ struct timeval timeout; + struct sockaddr *addr = (struct sockaddr *) &clp->addr; + socklen_t salen; + +@@ -910,6 +910,10 @@ create_auth_rpc_client(struct clnt_info + if (!populate_port(addr, salen, clp->prog, clp->vers, protocol)) + goto out_fail; + ++ /* set the timeout according to the requested valued */ ++ timeout.tv_sec = (long) rpc_timeout; ++ timeout.tv_usec = (long) 0; ++ + rpc_clnt = nfs_get_rpcclient(addr, salen, protocol, clp->prog, + clp->vers, &timeout); + if (!rpc_clnt) { diff --git a/SOURCES/nfs-utils-1.3.0-startstatd-systemd.patch b/SOURCES/nfs-utils-1.3.0-startstatd-systemd.patch new file mode 100644 index 0000000..778908f --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-startstatd-systemd.patch 
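Review bot: The new `-T` case in `main()` stores `atoi(optarg)` straight into the unsigned `rpc_timeout`, so `-T -1` becomes a timeout of roughly four billion seconds and non-numeric input silently becomes 0; that value is later copied into `timeout.tv_sec` in `create_auth_rpc_client()`. Because this option bounds how long gssd waits on a server that does not answer, the argument should be parsed with `strtoul()` and rejected unless it is a plain positive number, as sketched below. The upper bound and the treatment of 0 are a judgement call, and the existing `-t` case uses the same `atoi()` pattern. `main()` continues outside the hunk, and the sketch needs `errno.h` and `limits.h` if gssd.c does not already include them.

```c
		case 'T': {
			char *end;
			unsigned long secs;

			errno = 0;
			secs = strtoul(optarg, &end, 10);
			if (errno || end == optarg || *end != '\0' ||
			    *optarg == '-' || secs == 0 || secs > INT_MAX) {
				fprintf(stderr, "%s: invalid -T timeout '%s'\n",
					argv[0], optarg);
				exit(1);
			}
			rpc_timeout = (unsigned int) secs;
			break;
		}
		/* … unchanged: case 'R' and the remaining options … */
```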
@@ -0,0 +1,14 @@
+diff -up nfs-utils-1.3.0/utils/statd/start-statd.orig nfs-utils-1.3.0/utils/statd/start-statd
+--- nfs-utils-1.3.0/utils/statd/start-statd.orig 2014-09-30 09:17:31.000000000 -0400
++++ nfs-utils-1.3.0/utils/statd/start-statd 2014-09-30 09:15:01.000000000 -0400
+@@ -5,8 +5,9 @@
+ # It should run statd with whatever flags are apropriate for this
+ # site.
+ PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+-if systemctl start statd.service
++if systemctl start rpc-statd.service
+ then :
+ else
+ exec rpc.statd --no-notify
+ fi
++
diff --git a/SOURCES/nfs-utils-1.3.0-statd-callback.patch b/SOURCES/nfs-utils-1.3.0-statd-callback.patch
new file mode 100644
index 0000000..dbaf087
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-statd-callback.patch
@@ -0,0 +1,86 @@ +diff -up nfs-utils-1.3.0/utils/statd/callback.c.orig nfs-utils-1.3.0/utils/statd/callback.c +--- nfs-utils-1.3.0/utils/statd/callback.c.orig 2014-09-17 13:39:01.009781560 -0400 ++++ nfs-utils-1.3.0/utils/statd/callback.c 2014-09-17 13:39:07.217896069 -0400 +@@ -10,11 +10,13 @@ + #include + #endif + ++#include + #include + + #include "rpcmisc.h" + #include "statd.h" + #include "notlist.h" ++#include "ha-callout.h" + + /* Callback notify list. */ + /* notify_list *cbnl = NULL; ... never used */ +@@ -87,6 +89,13 @@ sm_notify_1_svc(struct stat_chge *argp, + xlog(D_CALL, "Received SM_NOTIFY from %s, state: %d", + argp->mon_name, argp->state); + ++ if (!statd_present_address(sap, ip_addr, sizeof(ip_addr))) { ++ xlog_warn("Unrecognized sender address"); ++ return ((void *) &result); ++ } ++ ++ ha_callout("sm-notify", argp->mon_name, ip_addr, argp->state); ++ + /* quick check - don't bother if we're not monitoring anyone */ + if (rtnl == NULL) { + xlog_warn("SM_NOTIFY from %s while not monitoring any hosts", +@@ -94,11 +103,6 @@ sm_notify_1_svc(struct stat_chge *argp, + return ((void *) &result); + } + +- if (!statd_present_address(sap, ip_addr, sizeof(ip_addr))) { +- xlog_warn("Unrecognized sender address"); +- return ((void *) &result); +- } +- + /* okir change: statd doesn't remove the remote host from its + * internal monitor list when receiving an SM_NOTIFY call from + * it. Lockd will want to continue monitoring the remote host +diff -up nfs-utils-1.3.0/utils/statd/statd.man.orig nfs-utils-1.3.0/utils/statd/statd.man +--- nfs-utils-1.3.0/utils/statd/statd.man.orig 2014-09-17 13:39:01.009781560 -0400 ++++ nfs-utils-1.3.0/utils/statd/statd.man 2014-09-17 13:39:07.217896069 -0400 +@@ -346,7 +346,8 @@ points due to inactivity. + .SS High-availability callouts + .B rpc.statd + can exec a special callout program during processing of +-successful SM_MON, SM_UNMON, and SM_UNMON_ALL requests. 
++successful SM_MON, SM_UNMON, and SM_UNMON_ALL requests, ++or when it receives SM_NOTIFY. + Such a program may be used in High Availability NFS (HA-NFS) + environments to track lock state that may need to be migrated after + a system reboot. +@@ -357,15 +358,26 @@ option. + The program is run with 3 arguments: + The first is either + .B add-client +-or + .B del-client ++or ++.B sm-notify + depending on the reason for the callout. + The second is the + .I mon_name + of the monitored peer. + The third is the +-.I caller_name +-of the requesting lock manager. ++.I caller_name ++of the requesting lock manager for ++.B add-client ++or ++.B del-client ++, otherwise it is ++.I IP_address ++of the caller sending SM_NOTIFY. ++The forth is the ++.I state_value ++in the SM_NOTIFY request. ++ + .SS IPv6 and TI-RPC support + TI-RPC is a pre-requisite for supporting NFS on IPv6. + If TI-RPC support is built into diff --git a/SOURCES/nfs-utils-1.3.0-systemd-args.patch b/SOURCES/nfs-utils-1.3.0-systemd-args.patch new file mode 100644 index 0000000..45a0a58 --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-systemd-args.patch @@ -0,0 +1,9 @@ +diff -up nfs-utils-1.3.0/systemd/nfs-blkmap.service.orig nfs-utils-1.3.0/systemd/nfs-blkmap.service +--- nfs-utils-1.3.0/systemd/nfs-blkmap.service.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/systemd/nfs-blkmap.service 2014-12-09 13:25:56.145156424 -0500 +@@ -13,4 +13,4 @@ PartOf=nfs-utils.service + [Service] + Type=forking + PIDFile=/var/run/blkmapd.pid +-ExecStart=/usr/sbin/blkmapd ++ExecStart=/usr/sbin/blkmapd $BLKMAPDARGS diff --git a/SOURCES/nfs-utils-1.3.0-systemd-ha-nonotify.patch b/SOURCES/nfs-utils-1.3.0-systemd-ha-nonotify.patch new file mode 100644 index 0000000..888a181 --- /dev/null +++ b/SOURCES/nfs-utils-1.3.0-systemd-ha-nonotify.patch 
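Review bot: In `sm_notify_1_svc()` the new `ha_callout("sm-notify", argp->mon_name, ip_addr, argp->state)` runs before the `rtnl == NULL` check, so it fires for every SM_NOTIFY whose sender address can be formatted, whether or not statd monitors that host, and `mon_name` reaches the callout exactly as it arrived in the request. SM_NOTIFY is unauthenticated, so the call site should say so, e.g. `/* mon_name and state are taken from the request unverified; the callout must treat them as untrusted */`, and the statd.man text should carry the same warning for callout authors. If `ha_callout()` starts the program once per call (its body is not in this patch), limiting the callout to monitored hosts or rate-limiting it would also be worth considering. The man page hunk still says "The program is run with 3 arguments" while adding a fourth.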
@@ -0,0 +1,13 @@
+diff -up nfs-utils-1.3.0/systemd/rpc-statd-notify.service.org nfs-utils-1.3.0/systemd/rpc-statd-notify.service
+--- nfs-utils-1.3.0/systemd/rpc-statd-notify.service.org 2014-03-25 11:12:07.000000000 -0400
++++ nfs-utils-1.3.0/systemd/rpc-statd-notify.service 2015-01-22 11:13:28.000000000 -0500
+@@ -3,6 +3,9 @@ Description=Notify NFS peers of a restar
+ Requires=network-online.target
+ After=network-online.target nss-lookup.target
+ 
++# Do not start up in HA environments
++ConditionPathExists=!/var/lib/nfs/statd/sm.ha
++
+ # if we run an nfs server, it needs to be running before we
+ # tell clients that it has restarted.
+ After=nfs-server.service
diff --git a/SOURCES/nfs-utils-1.3.0-systemd-idmapd.patch b/SOURCES/nfs-utils-1.3.0-systemd-idmapd.patch
new file mode 100644
index 0000000..fde4aa1
--- /dev/null
+++ b/SOURCES/nfs-utils-1.3.0-systemd-idmapd.patch
@@ -0,0 +1,57 @@ +diff -up nfs-utils-1.3.0/systemd/nfs-idmapd.service.orig nfs-utils-1.3.0/systemd/nfs-idmapd.service +--- nfs-utils-1.3.0/systemd/nfs-idmapd.service.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/systemd/nfs-idmapd.service 2015-01-15 08:04:55.291478000 -0500 +@@ -1,7 +1,7 @@ + [Unit] + Description=NFSv4 ID-name mapping service + +-PartOf=nfs-utils.service ++BindsTo=nfs-server.service + + Wants=nfs-config.service + After=nfs-config.service +diff -up nfs-utils-1.3.0/systemd/nfs-mountd.service.orig nfs-utils-1.3.0/systemd/nfs-mountd.service +--- nfs-utils-1.3.0/systemd/nfs-mountd.service.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/systemd/nfs-mountd.service 2015-01-15 08:04:55.300477000 -0500 +@@ -3,8 +3,7 @@ Description=NFS Mount Daemon + Requires=proc-fs-nfsd.mount + After=proc-fs-nfsd.mount + After=network.target +-PartOf=nfs-server.service +-PartOf=nfs-utils.service ++BindsTo=nfs-server.service + + Wants=nfs-config.service + After=nfs-config.service +diff -up nfs-utils-1.3.0/systemd/rpc-statd-notify.service.orig nfs-utils-1.3.0/systemd/rpc-statd-notify.service +--- nfs-utils-1.3.0/systemd/rpc-statd-notify.service.orig 2014-03-25 11:12:07.000000000 -0400 ++++ nfs-utils-1.3.0/systemd/rpc-statd-notify.service 2015-01-15 08:06:17.251900000 -0500 +@@ -14,6 +14,5 @@ After=nfs-config.service + + [Service] + EnvironmentFile=-/run/sysconfig/nfs-utils +-Type=oneshot +-RemainAfterExit=yes +-ExecStart=-/usr/sbin/sm-notify -d $SMNOTIFYARGS ++Type=forking ++ExecStart=-/usr/sbin/sm-notify $SMNOTIFYARGS +diff -up nfs-utils-1.3.0/utils/statd/start-statd.orig nfs-utils-1.3.0/utils/statd/start-statd +--- nfs-utils-1.3.0/utils/statd/start-statd.orig 2015-01-15 08:03:24.456789000 -0500 ++++ nfs-utils-1.3.0/utils/statd/start-statd 2015-01-15 08:05:34.612638000 -0500 +@@ -5,9 +5,12 @@ + # It should run statd with whatever flags are apropriate for this + # site. 
+ PATH="/sbin:/usr/sbin:/bin:/usr/bin" +-if systemctl start rpc-statd.service +-then : +-else +- exec rpc.statd --no-notify ++ ++# First try systemd if it's installed. ++if [ -d /run/systemd/system ]; then ++ # Quit only if the call worked. ++ systemctl start rpc-statd.service && exit + fi + ++# Fall back to launching it ourselves. ++exec rpc.statd --no-notify diff --git a/SOURCES/nfs-utils_env.sh b/SOURCES/nfs-utils_env.sh new file mode 100644 index 0000000..e488596 --- /dev/null +++ b/SOURCES/nfs-utils_env.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +# +# Extract configuration from /etc/sysconfig/nfs and write +# environment variables to /run/sysconfig/nfs-utils to be +# used by the systemd nfs-config service +# + +nfs_config=/etc/sysconfig/nfs +if test -r $nfs_config; then + . $nfs_config +fi + +[ -n "$LOCKDARG" ] && /sbin/modprobe lockd $LOCKDARG +if [ -n "$LOCKD_TCPPORT" -o -n "$LOCKD_UDPPORT" ]; then + [ -z "$LOCKDARG" ] && /sbin/modprobe lockd $LOCKDARG + [ -n "$LOCKD_TCPPORT" ] && \ + /sbin/sysctl -w fs.nfs.nlm_tcpport=$LOCKD_TCPPORT >/dev/null 2>&1 + [ -n "$LOCKD_UDPPORT" ] && \ + /sbin/sysctl -w fs.nfs.nlm_udpport=$LOCKD_UDPPORT >/dev/null 2>&1 +fi + +if [ -n "$NFSD_V4_GRACE" ]; then + grace="-G $NFSD_V4_GRACE" +fi + +if [ -n "$NFSD_V4_LEASE" ]; then + lease="-L $NFSD_V4_LEASE" +fi + +if [ -n "$RPCNFSDCOUNT" ]; then + nfsds=$RPCNFSDCOUNT +else + nfsds=8 +fi + +if [ -n "$RPCNFSDARGS" ]; then + nfsdargs="$RPCNFSDARGS $grace $lease $nfsds" +else + nfsdargs="$grace $lease $nfsds" +fi + +mkdir -p /run/sysconfig +{ +echo RPCNFSDARGS=\"$nfsdargs\" +echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\" +echo STATDARGS=\"$STATDARG\" +echo SMNOTIFYARGS=\"$SMNOTIFYARGS\" +echo RPCIDMAPDARGS=\"$RPCIDMAPDARGS\" +echo GSSDARGS=\"$RPCGSSDARGS\" +echo SVCGSSDARGS=\"$RPCSVCGSSDARGS\" +echo BLKMAPDARGS=\"$BLKMAPDARGS\" +echo GSS_USE_PROXY=\"$GSS_USE_PROXY\" +} > /run/sysconfig/nfs-utils diff --git a/SOURCES/nfs.sysconfig b/SOURCES/nfs.sysconfig index 3f959db..7468ea9 100644 
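Review bot: The `echo NAME=\"$var\"` lines that write /run/sysconfig/nfs-utils in `nfs-utils_env.sh` expand every variable unquoted, so a value containing `*` or `?` is subject to pathname expansion in the script's working directory, and runs of whitespace are collapsed before the line is written. A fixed format with a quoted argument keeps the value intact, e.g. `printf 'RPCNFSDARGS="%s"\n' "$nfsdargs"`, and likewise for the other eight lines. A value that itself contains a double quote would still produce a line that the units reading this file through `EnvironmentFile=` may parse differently from what was configured, so a comment above the block stating that values must not contain `"` would help. The same unquoted use appears in `/sbin/sysctl -w fs.nfs.nlm_tcpport=$LOCKD_TCPPORT` and its UDP counterpart.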
--- a/SOURCES/nfs.sysconfig +++ b/SOURCES/nfs.sysconfig @@ -1,6 +1,7 @@ # -# Optinal options passed to rquotad -RPCRQUOTADOPTS="" +# Note: For new values to take effect the nfs-config service +# has to be restarted with the following command: +# systemctl restart nfs-config # # Optional arguments passed to in-kernel lockd #LOCKDARG= @@ -13,23 +14,31 @@ RPCRQUOTADOPTS="" RPCNFSDARGS="" # Number of nfs server processes to be started. # The default is 8. -RPCNFSDCOUNT=8 +#RPCNFSDCOUNT=16 +# # Set V4 grace period in seconds #NFSD_V4_GRACE=90 # +# Set V4 lease period in seconds +#NFSD_V4_LEASE=90 +# # Optional arguments passed to rpc.mountd. See rpc.mountd(8) RPCMOUNTDOPTS="" # # Optional arguments passed to rpc.statd. See rpc.statd(8) STATDARG="" # +# Optional arguments passed to sm-notify. See sm-notify(8) +SMNOTIFYARGS="" +# # Optional arguments passed to rpc.idmapd. See rpc.idmapd(8) RPCIDMAPDARGS="" # # Optional arguments passed to rpc.gssd. See rpc.gssd(8) RPCGSSDARGS="" +# # Enable usage of gssproxy. See gssproxy-mech(8). -GSS_USE_PROXY="no" +GSS_USE_PROXY="yes" # # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8) RPCSVCGSSDARGS="" diff --git a/SOURCES/nfs.target b/SOURCES/nfs.target deleted file mode 100644 index 6c3262a..0000000 --- a/SOURCES/nfs.target +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Network File System Server -Requires=var-lib-nfs-rpc_pipefs.mount proc-fs-nfsd.mount rpcbind.service -After=network.target named.service - -[Install] -WantedBy=multi-user.target diff --git a/SOURCES/proc-fs-nfsd.mount b/SOURCES/proc-fs-nfsd.mount deleted file mode 100644 index e5ee6fb..0000000 --- a/SOURCES/proc-fs-nfsd.mount +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=RPC Pipe File System -DefaultDependencies=no - -[Mount] -What=sunrpc -Where=/proc/fs/nfsd -Type=nfsd diff --git a/SOURCES/var-lib-nfs-rpc_pipefs.mount b/SOURCES/var-lib-nfs-rpc_pipefs.mount deleted file mode 100644 index d27e1a2..0000000 
--- a/SOURCES/var-lib-nfs-rpc_pipefs.mount +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=RPC Pipe File System -DefaultDependencies=no - -[Mount] -What=sunrpc -Where=/var/lib/nfs/rpc_pipefs -Type=rpc_pipefs diff --git a/SPECS/nfs-utils.spec b/SPECS/nfs-utils.spec index a36f6fb..527fc93 100644 --- a/SPECS/nfs-utils.spec +++ b/SPECS/nfs-utils.spec @@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser Name: nfs-utils URL: http://sourceforge.net/projects/nfs Version: 1.3.0 -Release: 0%{?dist} +Release: 0.8%{?dist} Epoch: 1 # group all 32bit related archs 
@@ -10,30 +10,31 @@ Epoch: 1 Source0: https://www.kernel.org/pub/linux/utils/nfs-utils/%{version}/%{name}-%{version}.tar.xz -Source9: id_resolver.conf -Source10: nfs.sysconfig -Source11: nfs-lock.service -Source12: nfs-secure.service -Source13: nfs-secure-server.service -Source14: nfs-server.service -Source15: nfs-blkmap.service -Source16: nfs-rquotad.service -Source17: nfs-mountd.service -Source18: nfs-idmap.service -Source19: nfs.target -%define nfs_services %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} -# -# Services that need to be restarted. -# -%define nfs_start_services %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE18} %{SOURCE19} - -Source20: var-lib-nfs-rpc_pipefs.mount -Source21: proc-fs-nfsd.mount -%define nfs_automounts %{SOURCE20} %{SOURCE21} +Source1: id_resolver.conf +Source2: nfs.sysconfig +Source3: nfs-utils_env.sh -Source50: nfs-lock.preconfig -Source51: nfs-server.preconfig -%define nfs_configs %{SOURCE50} %{SOURCE51} +# +# RHEL7.1 +# +Patch001: nfs-utils-1.3.0-rpcgssd-timeout.patch +Patch002: nfs-utils-1.3.0-statd-callback.patch +Patch003: nfs-utils-1.3.0-mountd-start-statd-path.patch +Patch004: nfs-utils-1.3.0-rpcgssd-noerror-message.patch +Patch005: nfs-utils-1.3.0-rpcgssd-acceptor.patch +Patch006: nfs-utils-1.3.0-exportfs-NULL-pointer-test.patch +Patch007: nfs-utils-1.3.0-rpcgssd-errno-typo.patch +Patch008: nfs-utils-1.3.0-nfsiostat-output.patch +Patch009: nfs-utils-1.3.0-nfsclient-after.patch +Patch010: nfs-utils-1.3.0-startstatd-systemd.patch +Patch011: nfs-utils-1.3.0-gssproxy.patch +Patch012: nfs-utils-1.3.0-systemd-args.patch +Patch013: nfs-utils-1.3.0-libmount-umount-verbose.patch +Patch014: nfs-utils-1.3.0-mountd-dos.patch +Patch015: nfs-utils-1.3.0-exportfs-ipv6-arg.patch +Patch016: nfs-utils-1.3.0-exportfs-noreaddirplus.patch +Patch017: nfs-utils-1.3.0-systemd-idmapd.patch +Patch018: nfs-utils-1.3.0-systemd-ha-nonotify.patch Patch100: 
nfs-utils-1.2.1-statdpath-man.patch Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch @@ -74,7 +75,9 @@ Requires: libtirpc >= 0.2.3-1 libblkid libcap libmount Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -Conflicts: gssproxy < 0.3.0-0 + +Requires: gssproxy >= 0.3.0-0 +Conflicts: gssproxy < 0.3.0-10 %description The nfs-utils package provides a daemon for the kernel NFS server and @@ -91,6 +94,42 @@ This package also contains the mount.nfs and umount.nfs program. %prep %setup -q +# 1009528 - have a configurable connection timeout for the rpcgssd service +%patch001 -p1 +# 1108105 - "Adding callback on sm_notify" into nfs-utils on RHEL7 +%patch002 -p1 +# 1116794 - wrong PATH in /usr/sbin/start-statd +%patch003 -p1 +# 1117384 - rpc.gssd always start fail, and no enough log/message to user +%patch004 -p1 +# 1088011 - kerberized NFSv4.0 backchannel requests aren't authenticated properly by client +%patch005 -p1 +# 1083018 - code defect support/export/hostname.c: host_pton() NULL pointer... +%patch006 -p1 +# 1082480 - [gssd] code defects in get_servername().... +%patch007 -p1 +# 1109864 - Man pages are not explaining the output of nfsiostat +%patch008 -p1 +# 1144440 - Upgrade to latest upstream systemd scripts +%patch009 -p1 +%patch010 -p1 +# 1082746 - remove support for rpc.svcgssd +%patch011 -p1 +# 170364 - Typos in nfs-utils sysconfig files and associated script +%patch012 -p1 +# 923582 - umount -vvv not working +%patch013 -p1 +# 1163891 - rpc.mountd can be blocked by a bad client +%patch014 -p1 +# 1161490 - [exportfs] when export [$IPv6]:$expdir always random fail +%patch015 -p1 +# 1161458 - nfs-utils patch for Readdirplus / disable readdirplus +%patch016 -p1 +# 1159234 - ocf:heartbeat:nfsserver does not umount /var/lib/nfs on shared disk +%patch017 -p1 +# 1182692 - disable sm-notify on 'systemctl start nfs-server' no longer works +%patch018 -p1 + %patch100 -p1 %patch101 -p1 %patch102 -p1 
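Review bot: The two gssproxy lines added in the `@@ -74,7 +75,9 @@` hunk disagree about the minimum version: `Requires: gssproxy >= 0.3.0-0` accepts releases 0.3.0-0 through 0.3.0-9, which `Conflicts: gssproxy < 0.3.0-10` then rejects. Since the conflict sets the real floor, the requirement can state it directly as `Requires: gssproxy >= 0.3.0-10`. That makes the Conflicts line redundant, and a dependency solver gets one clear constraint instead of a satisfiable-then-conflicting pair.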
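Review bot: The comment above `%patch012` in the `@@ -91,6 +94,42 @@` hunk reads `# 170364 - Typos in nfs-utils sysconfig files and associated script`, but the changelog entry for the same fix cites bz 1170364, so the bug number appears to have lost its leading digit. It should read `# 1170364 - Typos in nfs-utils sysconfig files and associated script`. `%patch010` is the only patch in the list with no reference of its own. The changelog ties the start-statd change to bz 1144440 as well, so repeating that number on a comment line above `%patch010` would keep every patch traceable to its bug.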
@@ -108,9 +147,11 @@ PIE="-fpie" %endif export PIE +RELRO="-Wl,-z,relro,-z,now" + sh -x autogen.sh -CFLAGS="`echo $RPM_OPT_FLAGS $ARCH_OPT_FLAGS $PIE -D_FILE_OFFSET_BITS=64`" +CFLAGS="`echo $RPM_OPT_FLAGS $ARCH_OPT_FLAGS $PIE $RELRO -D_FILE_OFFSET_BITS=64`" %configure \ CFLAGS="$CFLAGS" \ CPPFLAGS="$DEFINES" \ @@ -129,7 +170,6 @@ mkdir -p $RPM_BUILD_ROOT%/sbin mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{_unitdir} mkdir -p $RPM_BUILD_ROOT%{_unitdir}/nfs.target.wants -mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/%{name}/scripts mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/request-key.d 
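Review bot: `RELRO="-Wl,-z,relro,-z,now"` holds linker options but is appended to `CFLAGS`, so full RELRO reaches the binaries only if the build passes CFLAGS on every link command; any program linked without them would silently miss the hardening. Passing the flags through the linker variable is more robust, for example an added `LDFLAGS="$RELRO" \` line in the `%configure` call. That invocation continues past the end of the hunk, so whether LDFLAGS is already set there cannot be seen from here. Either way, checking the built daemons with `readelf -l` for a `GNU_RELRO` segment and `readelf -d` for `BIND_NOW` would confirm the flags took effect.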
@@ -137,26 +177,35 @@ mkdir -p $RPM_BUILD_ROOT/lib/modprobe.d/ make DESTDIR=$RPM_BUILD_ROOT install install -s -m 755 tools/rpcdebug/rpcdebug $RPM_BUILD_ROOT%{_sbindir} install -m 644 utils/mount/nfsmount.conf $RPM_BUILD_ROOT%{_sysconfdir} -install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/request-key.d -install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/nfs +install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/request-key.d +install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/nfs -for service in %{nfs_services} ; do - install -m 644 $service $RPM_BUILD_ROOT%{_unitdir} +for file in systemd/*.service ; do + install -m 644 $file $RPM_BUILD_ROOT%{_unitdir} done -for service in %{nfs_automounts} ; do - install -m 644 $service $RPM_BUILD_ROOT%{_unitdir} +for file in systemd/*.target ; do + install -m 644 $file $RPM_BUILD_ROOT%{_unitdir} done -for config in %{nfs_configs} ; do - install -m 755 $config $RPM_BUILD_ROOT%{_libexecdir}/%{name}/scripts + +for file in systemd/*.mount ; do + install -m 644 $file $RPM_BUILD_ROOT%{_unitdir} done +mkdir -p $RPM_BUILD_ROOT/run/sysconfig +mkdir -p $RPM_BUILD_ROOT/usr/lib/systemd/scripts +install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/usr/lib/systemd/scripts/nfs-utils_env.sh + +# +# For backwards compatablity +# cd $RPM_BUILD_ROOT%{_unitdir} -ln -s nfs-idmap.service rpcidmapd.service -ln -s nfs-lock.service nfslock.service -ln -s nfs-secure-server.service rpcsvcgssd.service -ln -s nfs-secure.service rpcgssd.service ln -s nfs-server.service nfs.service +ln -s rpc-gssd.service nfs-secure.service +ln -s rpc-svcgssd.service nfs-secure-server.service +ln -s nfs-idmapd.service nfs-idmap.service +ln -s rpc-statd.service nfs-lock.service + mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/nfs/rpc_pipefs 
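Review bot: The three added `for file in systemd/*.service|*.target|*.mount` loops differ only in the glob, and both `$file` and `$RPM_BUILD_ROOT` are expanded unquoted. A single call does the same work and quotes the destination: `install -m 644 systemd/*.service systemd/*.target systemd/*.mount "$RPM_BUILD_ROOT%{_unitdir}"`. The new comment `# For backwards compatablity` should read `# For backwards compatibility`. `mkdir -p $RPM_BUILD_ROOT/run/sysconfig` creates a directory that no `%files` entry visible in this diff claims, so it is worth confirming it is either packaged or created at runtime.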
@@ -206,27 +255,18 @@ else fi %post -if [ $1 -eq 1 ]; then - # Package install, - /bin/systemctl enable nfs.target >/dev/null 2>&1 || : - /bin/systemctl enable nfs-lock.service >/dev/null 2>&1 || : - /bin/systemctl start nfs-lock.service >/dev/null 2>&1 || : -else - # Package upgrade - /bin/systemctl reenable nfs.target >/dev/null 2>&1 || : - if /bin/systemctl --quiet is-enabled nfs-lock.service ; then - /bin/systemctl reenable nfs-lock.service >/dev/null 2>&1 || : - fi -fi +%systemd_post nfs-client.target +%systemd_post nfs-config +%systemd_post nfs-server + # Make sure statd used the correct uid/gid. chown -R rpcuser:rpcuser /var/lib/nfs/statd %preun if [ $1 -eq 0 ]; then - # Package removal, not upgrade - for service in %(sed 's!\S*/!!g' <<< '%{nfs_start_services}') ; do - %systemd_preun $service - done + %systemd_preun nfs-client.target + %systemd_preun nfs-server.server + /usr/sbin/userdel rpcuser 2>/dev/null || : /usr/sbin/groupdel rpcuser 2>/dev/null || : /usr/sbin/userdel nfsnobody 2>/dev/null || : @@ -236,12 +276,9 @@ if [ $1 -eq 0 ]; then fi %postun -if [ $1 -ge 1 ]; then - # Package upgrade, not uninstall - for service in %(sed 's!\S*/!!g' <<< '%{nfs_start_services}') ; do - /bin/systemctl try-restart $service >/dev/null 2>&1 || : - done -fi +%systemd_postun_with_restart nfs-client.target +%systemd_postun_with_restart nfs-server + /bin/systemctl --system daemon-reload >/dev/null 2>&1 || : %triggerun -- nfs-utils < 1:1.2.9-0.5 
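Review bot: `%systemd_preun nfs-server.server` in the new `%preun` body names a unit that nothing in this diff installs. Every other scriptlet refers to `nfs-server`, so `.server` looks like a typo for `.service`. The scriptlet macros discard systemctl's output and exit status, so on package removal the mistake would pass silently and the NFS server unit would be left enabled and running; the line should be `%systemd_preun nfs-server.service`. `%post` also presets `nfs-config`, which has no counterpart in `%preun`. If that is intentional, a short comment saying so would help. The `%preun` scriptlet continues past the end of this hunk.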
@@ -250,15 +287,10 @@ fi %triggerun -- nfs-utils < 1:1.2.4-2 /bin/systemctl enable nfs-lock.service >/dev/null 2>&1 || : -if /sbin/chkconfig --level 3 nfs ; then - /bin/systemctl enable nfs-server.service >/dev/null 2>&1 || : -fi -if /sbin/chkconfig --level 3 rpcgssd ; then - /bin/systemctl enable nfs-secure.service >/dev/null 2>&1 || : -fi -if /sbin/chkconfig --level 3 rpcsvcgssd ; then - /bin/systemctl enable nfs-secure-server.service >/dev/null 2>&1 || : -fi + +%triggerin -- nfs-utils < 1:1.3.0-0.2 +/bin/systemctl stop rpc-svcgssd >/dev/null 2>&1 || : +/bin/systemctl enable nfs-client.target >/dev/null 2>&1 || : %files %defattr(-,root,root,-) @@ -268,15 +300,13 @@ fi %dir %{_sharedstatedir}/nfs/v4recovery %dir %{_sharedstatedir}/nfs/rpc_pipefs %dir %{_sharedstatedir}/nfs -%dir %{_libexecdir}/%{name}/scripts -%dir %{_libexecdir}/%{name} %dir %attr(700,rpcuser,rpcuser) %{_sharedstatedir}/nfs/statd %dir %attr(700,rpcuser,rpcuser) %{_sharedstatedir}/nfs/statd/sm %dir %attr(700,rpcuser,rpcuser) %{_sharedstatedir}/nfs/statd/sm.bak %config(noreplace) %attr(644,rpcuser,rpcuser) %{_sharedstatedir}/nfs/state -%config(noreplace) %{_sharedstatedir}/nfs/xtab -%config(noreplace) %{_sharedstatedir}/nfs/etab -%config(noreplace) %{_sharedstatedir}/nfs/rmtab +%config(noreplace) %verify(not md5 size mtime) %{_sharedstatedir}/nfs/xtab +%config(noreplace) %verify(not md5 size mtime) %{_sharedstatedir}/nfs/etab +%config(noreplace) %verify(not md5 size mtime) %{_sharedstatedir}/nfs/rmtab %config(noreplace) %{_sysconfdir}/request-key.d/id_resolver.conf %doc linux-nfs/ChangeLog linux-nfs/KNOWNBUGS linux-nfs/NEW linux-nfs/README %doc linux-nfs/THANKS linux-nfs/TODO @@ -300,7 +330,7 @@ fi %{_sbindir}/nfsdcltrack %{_mandir}/*/* %{_unitdir}/* -%{_libexecdir}/%{name}/scripts/* +%attr(755,root,root) /usr/lib/systemd/scripts/nfs-utils_env.sh %attr(4755,root,root) /sbin/mount.nfs /sbin/mount.nfs4 
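Review bot: The new `%triggerin -- nfs-utils < 1:1.3.0-0.2` scriptlet only stops `rpc-svcgssd`. If the unit was enabled on the upgraded system it would presumably start again at the next boot, leaving the daemon that gssproxy is meant to replace still running. If the intent is to retire it, add `/bin/systemctl disable rpc-svcgssd >/dev/null 2>&1 || :` before the stop. The trigger also has no comment; something like `# rpc.svcgssd is replaced by gssproxy (bz 1082746)` would explain why an upgrade touches a running service. The same hunk removes the chkconfig-based enabling of nfs-server and the secure services from the `< 1:1.2.4-2` trigger, so it is worth confirming that hosts upgrading from SysV-era packages no longer rely on that migration.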
@@ -308,6 +338,44 @@ fi /sbin/umount.nfs4 %changelog +* Fri Jan 23 2015 Steve Dickson 1.3.0-0.8 +- Stop sm-notify from running in HA environments (bz 1182692) +- Set the GSS_USE_PROXY variable in nfs-utils_env.sh (bz 1183821) + +* Thu Jan 15 2015 Steve Dickson 1.3.0-0.7 +- rpc.idmapd now comes down with the nfs server (bz 1159234) + +* Wed Jan 7 2015 Steve Dickson 1.3.0-0.6 +- Corrected argument names in the systemd scripts (bz 1170364) +- Added RELRO check (bz 1092543) +- Properly parse IPv6 literal strings with null termination (bz 1161490) +- Added the 'nordirplus' export flag to disable v3 readdirplus (bz 1161458) + +* Fri Nov 14 2014 Steve Dickson 1.3.0-0.5 +- Fixed a mound DOS (bz 1163891) + +* Fri Oct 24 2014 Steve Dickson 1.3.0-0.4 +- Added verbosity back to umount (bz 923582) + +* Wed Oct 15 2014 Steve Dickson 1.3.0-0.3 +- Enable gssproxy in /etc/sysconf/nfs (bz 1082746) + +* Mon Sep 29 2014 Steve Dickson 1.3.0-0.2 +- Upgrade to latest upstream systemd scripts (bz 1144440) +- Taught start-statd to use systemd (bz 1144440) +- Repaced rpc.svcgssd with gssproxy (bz 1082746) + +* Fri Sep 19 2014 Steve Dickson 1.3.0-0.1 +- Added configurable timeout to rpc.gssd (bz 1009528) +- Added callback to sm_notify (bz 1108105) +- mountd: Fixed path in start-statd (bz 1116794) +- rpc.gssd: Fixed silent error message (bz 1117384) +- rpc.gssd: add the acceptor name to the info passed in downcall (bz 1088011) +- nfs-utils.spec: fixed runtime configuration files (bz 1118177) +- exportfs: fix test of NULL pointer in host_pton() (bz 1083018) +- gssd: Fixed errno typo in get_servername() (bz 1082480) +- nfsiostat: documented the output better (bz 1109864) + * Wed Mar 26 2014 Steve Dickson 1.3.0-0.0 - Updated to latest upstream release: nfs-utils-1-3-0 - mount.nfs: Fix fallback from tcp to udp (bz 984901) 
@@ -677,7 +745,7 @@ fi - Updated to the latest pseudo root release (rel10) which containts the upstream pseudo root release -* Mon Jan 12 2010 Steve Dickson 1.2.1-9 +* Tue Jan 12 2010 Steve Dickson 1.2.1-9 - Updated to latest upstream RC release: nfs-utils-1-2-2-rc5 * Mon Jan 4 2010 Steve Dickson 1.2.1-8 @@ -1068,7 +1136,7 @@ fi - Added -o nordirplus mount option to disable READDIRPLUS (bz 240357) - Disabled the FSCache patch, for now... -* Wed May 10 2007 Steve Dickson 1.0.12-5 +* Thu May 10 2007 Steve Dickson 1.0.12-5 - Fix mount.nfs4 to display correct error message (bz 227212) - Updated mountd and showmount reverse lookup flags (bz 220772) - Eliminate timeout on nfsd shutdowns (bz 222001) @@ -1111,7 +1179,7 @@ fi * Wed Dec 13 2006 Steve Dickson 1.0.10-5 - Stopped v4 umounts from ping rpc.mountd (bz 215553) -* Wed Nov 28 2006 Steve Dickson 1.0.10-4 +* Tue Nov 28 2006 Steve Dickson 1.0.10-4 - Doing a connect on UDP sockets causes the linux network stack to reject UDP patches from multi-home server with nic on the same subnet. (bz 212471) @@ -1242,7 +1310,7 @@ fi - Updated libevent from 1.0b to 1.1a - Added libgssapi-0.4 and librpcsecgss-0.6 libs from CITI -* Tue Sep 8 2005 Steve Dickson 1.0.7-16 +* Thu Sep 8 2005 Steve Dickson 1.0.7-16 - Reworked the nfslock init script so if lockd is running it will be killed which is what the HA community needs. (bz 162446) - Stopped rpcidmapd.init from doing extra echoing when @@ -1273,7 +1341,7 @@ fi * Wed Apr 13 2005 Steve Dickson 1.0.7-6 - Fixed misformated output from nfslock script (bz 154648) -* Mon Mar 29 2005 Steve Dickson 1.0.7-4 +* Tue Mar 29 2005 Steve Dickson 1.0.7-4 - Fixed a compile error on x86_64 machines in the gss code. - Updated the statd-notify-hostname.patch to eliminate a segmentation fault in rpc.statd when an network @@ -1368,7 +1436,7 @@ fi by default, there only needs to be away of turning them off. -* Thu May 10 2004 +* Mon May 10 2004 - Rebuilt * Thu Apr 15 2004 
@@ -1443,7 +1511,7 @@ fi - Upgrated to 1.0.6 - Commented out the acl path for fedora -* Thu Aug 27 2003 Steve Dickson +* Wed Aug 27 2003 Steve Dickson - Added the setting of lockd ports via sysclt interface - Removed queue setting code since its no longer needed @@ -1453,7 +1521,7 @@ fi * Wed Jul 23 2003 Steve Dickson - Commented out the acl patch (for now) -* Wed Jul 21 2003 Steve Dickson +* Mon Jul 21 2003 Steve Dickson - Upgrated to 1.0.5 * Wed Jun 18 2003 Steve Dickson @@ -1542,7 +1610,7 @@ the mountd man page. - don't use rquotad from here now; quota package contains a version that works with 2.4 (#33738) -* Tue Mar 12 2001 Bob Matthews +* Mon Mar 12 2001 Bob Matthews - Statd logs at LOG_DAEMON rather than LOG_LOCAL5 - s/nfs/\$0/ where appropriate in init scripts @@ -1568,7 +1636,7 @@ the mountd man page. - Fix incorrect file specifications in statd manpage. - Require gawk 'cause it's used in nfslock init script. -* Thu Dec 13 2000 Bob Matthews +* Wed Dec 13 2000 Bob Matthews - Require sed because it's used in nfs init script * Tue Dec 12 2000 Bob Matthews